
Cisco IOS Subnetting

Gamingphreek

I have 3 Cisco routers running IOS 12.4

FastEthernet0/0 is WAN and FastEthernet0/1 is LAN.

I have 3 static routes defined.
ip route x.x.x.0 x.224 [Send to Site A]
ip route y.y.y.32 y.224 [Send to Gateway for Site B]
ip route z.z.z.64 y.224 [Send to Gateway for Site C]

I'm sitting at site A. From WAN and LAN side I can ping Site B. I can ping Site C from WAN side, but not from LAN side.

I don't have any access-lists defined and have removed all the access-class entries.

Is there something I am doing wrong that prevents me from routing traffic from LAN-Site C and vice versa?

Thanks,
-GP
 

her209

If I'm understanding you correctly, sitting at site A, you can't ping site C. Is that correct?

Could be that there's no route for site C in router at site A's routing table. Or the router at site C doesn't have a route back to site A.
 

Gamingphreek

Correct I am sitting at Site A.

So you are saying that, outside of static routes, there may not be information in the routing table?

How would I edit that?

-GP
 

her209

Is your network setup like this?

network.jpg
 

imagoon

I think you are seeing the geometric growth issue of static routes but basically all routers will need to know about other subnets on the network. Using the gateway of last resort can work for this but is not recommended because it makes things like accessing the internet harder.

So if you have A <-> B <-> C:

You need:
Static
On router A)
net B via Router B
net C via Router B
on router b)
net A via Router A
Net C via router C
on Router c)
Net B via router B
Net C via router B

So that A pinging C will get:

default gateway to router A. Router A -> router B. Router B -> Router C -> device on C.
Then the reply
device on C -> default gateway to router C. Router C to Router B. Router B to router A. Router A to Device on A.

Make sense at all?
 

Gamingphreek

Here is my diagram.

Just know that the hubs are 100% required and they are transparent. My hub has 2 static routes in it to Site A and Site B and both are 100% verified to work. The issue is within my router.

Network_Diagram.png


Additionally, Site B and Site C cannot talk to each other and their equipment has no idea they exist.

I simplified the routes and simply said:
ip route 0.0.0.0 0.0.0.0 [Hub]
ip route x.x.x.0 255.255.255.224 [Site A]

Hope this clarifies some things (I don't believe I am running into a geometric growth problem, but if you think I am after seeing my diagram, we can address it then)

-GP
 

MtnMan

You said:
My hub has 2 static routes in it to Site A and Site B and both are 100% verified to work.
Do you mean a normal Ethernet Hub? Hubs don't have configurations, they are just dumb boxes that just retransmit frames.


What routes are configured on the router that connects to site C?

It has to have a route back to the site A network.

Is that firewall actually there? How is it configured?

How about posting the actual routing tables of all 3 routers (show ip route)

You said:
I have 3 static routes defined.
ip route x.x.x.0 x.224 [Send to Site A]
ip route y.y.y.32 y.224 [Send to Gateway for Site B]
ip route z.z.z.64 y.224 [Send to Gateway for Site C]
Is this on the router that connects to site A?

If so the first statement is unnecessary, because it is a directly connected network.
When you said "Send to Gateway for Site C" do you mean the gateway for the site C network? That won't work, needs to be the IP of the WAN side of the router for site C.

Is the workstation in the site C network actually configured correctly, with the correct default gateway?
 

Gamingphreek

You said:

Do you mean a normal Ethernet Hub? Hubs don't have configurations, they are just dumb boxes that just retransmit frames.

Yes, you are right about the hubs, but I don't have another way of describing this configuration right now. Consider the hubs a service that does VPN - simply takes the traffic and throws it to one of the other hubs. Site A's hub has static routes to Sites B and C. Site B and C's respective hubs have a static route back to Site A.

What routes are configured on the router that connects to site C?

Site A's router has a static route to forward traffic bound for .0-.32 IP Address range back to my ASA Firewall. It has a default route to send all other traffic to the hub.

It has to have a route back to the site A network.

It does

Is that firewall actually there? How is it configured?

Site C's firewall is transparent to this connection. In essence, this connection is in the DMZ

How about posting the actual routing tables of all 3 routers (show ip route)

ip route 0.0.0.0 0.0.0.0 [Hub]
ip route x.x.x.0 255.255.255.224 [Site A]


You said:
Is this on the router that connects to site A?

If so the first statement is unnecessary, because it is a directly connected network.
When you said "Send to Gateway for Site C" do you mean the gateway for the site C network? That won't work, needs to be the IP of the WAN side of the router for site C.

What I mean is to send the traffic to the hub and the hub will route it correctly.

Is the workstation in the site C network actually configured correctly, with the correct default gateway?

Yes

The main problem is getting the connection to go from LAN->WAN.

If I source my pings:
Site A-WAN ----> Site B (All devices)
Site A-LAN -----> Site B (All devices)
Site A-WAN ----> Site C (All devices)
Site A-LAN --X--> Site C (All devices)

The problem is definitely in my router, I just have no idea why it isn't mapping from LAN->WAN correctly.

-GP
 

MtnMan

But which router...

Post the routing table for all 3 routers, then we have something to work with.

When the ping A ---> C fails, what message do you get (timeout.... unreachable...)?
 

spidey07

But which router...

Post the routing table for all 3 routers, then we have something to work with.

When the ping A ---> C fails, what message do you get (timeout.... unreachable...)?

This. The other routers need to know how to reach router A and its networks, you need to consider the path BACK to you as well.
 

Gamingphreek

But which router...

Post the routing table for all 3 routers, then we have something to work with.

When the ping A ---> C fails, what message do you get (timeout.... unreachable...)?

Routing Table A:
x.x.x.0 255.255.255.224 [ASA Firewall]
0.0.0.0 0.0.0.0 [My Hub]

Routing Table B:
x.x.x.0 255.255.255.224 [Site B Hub]

Routing Table C:
x.x.x.0 255.255.255.224 [Site C Hub]

So in B and C's case, the traffic does get back, it just sends it to the VPN hub which brings it back.

When I ping from A ---> C, in IOS nothing displays. From one of the clients or the ASA Firewall at Site A, I get "timeout".

When I do a 'traceroute' from the Site A router with the source IP set to my LAN-side interface, it displays '* * *' endlessly.

When I do a 'traceroute' from the Site A router with the source IP set to my WAN-side interface, I see the one hop and then the command completes successfully.

When I do a 'tracert' from a Site A Client, my router is displayed and then everything times out from there.

Thanks,
-GP
 

imagoon

Routing Table A:
x.x.x.0 255.255.255.224 [ASA Firewall]
0.0.0.0 0.0.0.0 [My Hub]

Routing Table B:
x.x.x.0 255.255.255.224 [Site B Hub]

Routing Table C:
x.x.x.0 255.255.255.224 [Site C Hub]

So in B and C's case, the traffic does get back, it just sends it to the VPN hub which brings it back.

When I ping from A ---> C, in IOS nothing displays. From one of the clients or the ASA Firewall at Site A, I get "timeout".

When I do a 'traceroute' from the Site A router with the source IP set to my LAN-side interface, it displays '* * *' endlessly.

When I do a 'traceroute' from the Site A router with the source IP set to my WAN-side interface, I see the one hop and then the command completes successfully.

When I do a 'tracert' from a Site A Client, my router is displayed and then everything times out from there.

Thanks,
-GP

Ignoring potential firewall issues you need to do what I posted. I assume this is some sort of MPLS but real routing tables would help a lot.

It looks like to me you are using 0.0.0.0 (gateway of last resort) incorrectly.

This will be my examples:
10.0.1.0 Net A
10.0.2.0 Net B
10.0.3.0 Net C
10.10.1.0 WAN A = 1 B = 2 C = 3

Router A
(for b) Route 10.0.2.0 255.255.255.0 10.10.1.2
(for c) Route 10.0.3.0 255.255.255.0 10.10.1.3

Router B
(for a) Route 10.0.1.0 255.255.255.0 10.10.1.1
(for c) Route 10.0.3.0 255.255.255.0 10.10.1.3

Router C
(for a) Route 10.0.1.0 255.255.255.0 10.10.1.1
(for b) Route 10.0.2.0 255.255.255.0 10.10.1.2

Those static routes would fully converge your network. Adding in internet using the gateway of last resort would depend on how you needed / wanted to handle that traffic. Either 0.0.0.0 0.0.0.0 would point to an Inet IP or they would point to another internal network first if you were filtering etc.

The geometric thing is what happens with static routes. As you add more networks, the number of static routes required and the number of devices maintained quickly goes up, where 1 new network may equal only 4 commands and 4 devices at one point, later on after some growth, 1 network added = 64 lines in 64 devices configured etc. I.e., after about 4-5 networks you want to use a dynamic routing protocol.
 

MtnMan

Routing Table A:
x.x.x.0 255.255.255.224 [ASA Firewall]
0.0.0.0 0.0.0.0 [My Hub]

Routing Table B:
x.x.x.0 255.255.255.224 [Site B Hub]

Routing Table C:
x.x.x.0 255.255.255.224 [Site C Hub]
Not enough information to work with. The actual routing table (show ip route output) is needed, not your summation with ambiguous names, you might be reading something into them that just isn't there, or missing something that is.

Every router must have an entry for every network that it is not directly connected to. Also since the WAN side of your network is a multipoint, the default route won't forward traffic to B or C depending on the destination, but only to B or only to C, depending on the next hop address it is configured with.
 

Gamingphreek

router eigrp 1
network 10.0.0.0
no auto-summary

There, done. :)

Wait would this work even though traffic is being directed through the VPN hubs? I don't want Site B to be able to contact Site C or know that it exists - it should see a point to point connection with Site A.

Not enough information to work with. The actual routing table (show ip route output) is needed, not your summation with ambiguous names, you might be reading something into them that just isn't there, or missing something that is.

I'll give you as much information as I can, though some will be replaced with arbitrary values:

Code:
Gateway of last resort is 10.1.2.2 to network 0.0.0.0
   10.1.0.0/30 is subnetted, 2 subnets
C   10.1.1.0 is directly connected FastEthernet0/0
C   10.1.2.0 is directly connected FastEthernet0/1
   192.0.0.0/27 is subnetted, 1 subnet
S   192.168.0.0[1/0] via 10.1.2.0
S* 0.0.0.0/0[1/0] via 10.1.1.0

When I do a 'show run' my static routes are listed as:
ip route 0.0.0.0 0.0.0.0 10.1.1.0
ip route 192.168.0.0 255.255.255.224

Is that sufficient, or did I leave something out that might help?

Thanks,
-GP
 

MtnMan

Is that sufficient, or did I leave something out that might help?

Thanks,
-GP
Need the routing table from other routers, especially the one for the C site.

I have 3 static routes defined.
ip route x.x.x.0 x.224 [Send to Site A]
ip route y.y.y.32 y.224 [Send to Gateway for Site B]
ip route z.z.z.64 y.224 [Send to Gateway for Site C]
Are the 3 site networks a subnet of the same classful, or are they completely different?

Your 'arbitrary' values don't match your original post which makes me wonder if they are too arbitrary to actually troubleshoot, which indicates a class subnetted, but is x.x.x the same as or different than y.y.y or z.z.z?
 

Gamingphreek

Need the routing table from other routers, especially the one for the C site.

Are the 3 site networks a subnet of the same classful, or are they completely different?

Your 'arbitrary' values don't match your original post which makes me wonder if they are too arbitrary to actually troubleshoot, which indicates a class subnetted, but is x.x.x the same as or different than y.y.y or z.z.z?

I'm sorry - x.x.x is definitely the same as y.y.y.

Ugh I'm so sorry this is stupidly vague. I know I'm not making this easy :(

I'll be able to provide the other 2 routing tables tomorrow, but I'm a little confused as to why any of this is necessary at this point. If Site A has connectivity via WAN and LAN to site B, but only has WAN connectivity to Site C, that should clearly be a problem with the routing table in Site A's router.

Could you explain to me what we are troubleshooting at this step? I'm sure you guys have your reasons in asking for all of this, but I'm just interested in what is going through y'all's mind.

Thanks,
-GP
 

spidey07

You have to consider how the traffic RETURNS to router A. That would dictate you need to look at the routing tables on the other routers.
 

Gamingphreek

You have to consider how the traffic RETURNS to router A. That would dictate you need to look at the routing tables on the other routers.

But the ECHO is sent and the ECHO-REPLY is received when sent from WAN-side. It isn't sent or received from LAN-side for this particular site.

If this happened with both sites, I could understand it being a problem with the remote configuration; however, doesn't it mean that Site A's router is the problem?

Don't get me wrong, I'm more than happy to post, I'm just trying to understand where everyone is coming from and, hopefully, learn something from it.

Thanks,
-GP
 

MtnMan

You have to consider how the traffic RETURNS to router A. That would dictate you need to look at the routing tables on the other routers.

Yea this ^^^^

The router at the C site needs to know how to get back to the site "A" LAN network.
 

MtnMan

But the ECHO is sent and the ECHO-REPLY is received when sent from WAN-side. It isn't sent or received from LAN-side for this particular site.
Yes, because the WAN side of all the routers are on the same network. Networks that are directly connected to an interface are automatically put in the routing table. The LAN side of Site A will not be in the routing table of the C router, unless configured or a routing protocol is configured.
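
The return-path point made in the replies above, as an added example that is not part of any poster's message: a small Python model of two routers doing longest-prefix-match forwarding, showing why a WAN-sourced ping succeeds while a LAN-sourced one times out until Router C has a route back to Site A's LAN. The networks follow the example addressing in imagoon's post (LANs 10.0.1.0/24 and 10.0.3.0/24, WAN 10.10.1.0/24 with A = .1 and C = .3); the host addresses ending in .10 and all function names are constructed for illustration.

```python
import ipaddress as ip

WAN = {"10.10.1.1": "A", "10.10.1.3": "C"}   # WAN address -> owning router

def table(connected, static=()):
    """Routing table rows: (network, next_hop); next_hop None = directly connected."""
    rows = [(ip.ip_network(n), None) for n in connected]
    return rows + [(ip.ip_network(n), h) for n, h in static]

def deliver(routers, start, dst, max_hops=8):
    """Forward hop by hop with longest-prefix match; return where the packet ends up."""
    here = start
    for _ in range(max_hops):
        hits = [(n, h) for n, h in routers[here] if ip.ip_address(dst) in n]
        if not hits:
            return f"dropped at {here}: no route to {dst}"
        hop = max(hits, key=lambda r: r[0].prefixlen)[1]
        if hop is None:                       # destination is on a connected network
            return "delivered"
        here = WAN[hop]                       # hand the packet to the next-hop router
    return "loop"

def ping(routers, src, src_rtr, dst, dst_rtr):
    """The echo must reach dst AND the echo-reply must find a route back to src."""
    out = deliver(routers, src_rtr, dst)
    if out != "delivered":
        return "request " + out
    back = deliver(routers, dst_rtr, src)
    return "ok" if back == "delivered" else "reply " + back

def build(c_has_return_route):
    """Constructed tables: Router A always knows Net C; Router C optionally knows Net A."""
    a = table(["10.0.1.0/24", "10.10.1.0/24"], [("10.0.3.0/24", "10.10.1.3")])
    c_static = [("10.0.1.0/24", "10.10.1.1")] if c_has_return_route else []
    c = table(["10.0.3.0/24", "10.10.1.0/24"], c_static)
    return {"A": a, "C": c}

if __name__ == "__main__":
    for fixed in (False, True):
        r = build(fixed)
        print("return route on C:", fixed)
        print("  WAN-sourced:", ping(r, "10.10.1.1", "A", "10.0.3.10", "C"))
        print("  LAN-sourced:", ping(r, "10.0.1.10", "A", "10.0.3.10", "C"))
```

The WAN-sourced reply succeeds without any static route because 10.10.1.0/24 is a connected network on Router C; the LAN-sourced reply is dropped at C, which the sender only sees as a timeout.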